Getting Data In

Problem in displaying timestmap

Jananee_iNautix
Path Finder

Hi ,

There is a requirement to change the time format from "04/04/14 13:11:37" to "Mon April 04 2014 13:11:37" .I tried the search query

index=fxr SNM* ASRRLUI | rex "^\S+\s(?<unique_field>\S+.\S+) ::"|transaction unique_field startswith="User logged off" endswith="Processing complete"| rex field=_raw "::\s(?<success_t>\S+\s\d+:\d+:\d+) :: User logged off"|eval Output_Timestamp=strptime(success_t,"%y/%m/%d %H:%M:%S")|eval Timestamp=strftime(Output_Timestamp,"%a %B %e %T %Y")|table success_t Output_Timestamp Timestamp unique_field

When the above search query is ran,the result is not getting displayed for some events.The #1 logs displays the timestamp whereas #2 doesnt displays the Timestamp.

The sample logs are as follows

1)
SNM4 ASRRLUI.43U :: 04/04/14 18:18:44 :: Processing complete
SNM4 ASRRLUI.43U :: 04/04/14 18:18:44 :: .
SNM4 ASRRLUI.43U :: 04/04/14 18:18:44 :: .
SNM4 ASRRLUI.43U :: 04/04/14 18:18:44 :: .
SNM4 ASRRLUI.43U :: 04/04/14 18:18:41 :: User logged off, Processing will begin
SNM4 ASRRLUI.43U :: 04/04/14 18:18:41 :: All received data will be processed as SAF for BTWA3FLR

2)SNM4 BTWA3SLR.665F :: 05/14/14 18:24:24 :: User logged off, Processing will begin
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:24 :: .
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:24 :: .
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:24 :: .
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:28 :: Processing complete

Tags (1)
0 Karma

MuS
SplunkTrust
SplunkTrust

Hi Jananee_iNautix,

take a closer look at this eval you're using:

eval Output_Timestamp=strptime(success_t,"%y/%m/%d %H:%M:%S")

you want to have month at second place in success_t value, but look at the second example you provided:

SNM4 BTWA3SLR.665F :: 05/14/14 18:24:24 :: User logged off, Processing will begin
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:24 ::  .
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:24 ::  .
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:24 ::  .
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:28 :: Processing complete

what could be the 14th month of the year?
So, this is not the month but something different.

hope this helps ...

cheers, MuS

0 Karma

MuS
SplunkTrust
SplunkTrust

you're welcome. please mark this answered by ticking the tick - thx

0 Karma

Jananee_iNautix
Path Finder

Thanks....

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...